Improve CMP documentation regarding use of untrusted certs

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/11470)

diff --git a/apps/cmp.c b/apps/cmp.c
index 24a7fcbe6cfd9a89a271e9f0c7a304d66d0769c7..1e4642d466e0a82b3bc3082136311a8e9cf054a9 100644 (file)
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -619,7 +619,7 @@ const OPTIONS cmp_options[] = {
     {"srv_trusted", OPT_SRV_TRUSTED, 's',
      "Trusted certificates for client authentication"},
     {"srv_untrusted", OPT_SRV_UNTRUSTED, 's',
     {"srv_trusted", OPT_SRV_TRUSTED, 's',
      "Trusted certificates for client authentication"},
     {"srv_untrusted", OPT_SRV_UNTRUSTED, 's',

-     "Intermediate certs for constructing chains for CMP protection by client"},
+     "Intermediate certs that may be useful for verifying CMP protection"},

     {"rsp_cert", OPT_RSP_CERT, 's',
      "Certificate to be returned as mock enrollment result"},
     {"rsp_extracerts", OPT_RSP_EXTRACERTS, 's',
     {"rsp_cert", OPT_RSP_CERT, 's',
      "Certificate to be returned as mock enrollment result"},
     {"rsp_extracerts", OPT_RSP_EXTRACERTS, 's',

diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in
index b746d26c33ec167604fc3807b3fbf26dab071e04..a99391ac6d84057002cc1885fe6656587a7c3540 100644 (file)
--- a/doc/man1/openssl-cmp.pod.in
+++ b/doc/man1/openssl-cmp.pod.in
@@ -889,7 +889,7 @@ Trusted certificates for client authentication.
 
 =item B<-srv_untrusted> I<filenames>
 
 
 =item B<-srv_untrusted> I<filenames>
 

-Intermediate certs for constructing chains for CMP protection by client.
+Intermediate CA certs that may be useful when verifying client certificates.

 
 =item B<-rsp_cert> I<filename>
 
 
 =item B<-rsp_cert> I<filename>
 

diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index 1bc9ef8cd0489f466fbd64a8f0a2cc8573bfae76..b9b8ffb2e02f1875e85604bade164ed6f716c6fb 100644 (file)
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -403,13 +403,13 @@ parameter the entry is cleared.
 OSSL_CMP_CTX_get0_trustedStore() returns a pointer to the certificate store
 containing trusted root CA certificates, which may be empty if unset.
 
 OSSL_CMP_CTX_get0_trustedStore() returns a pointer to the certificate store
 containing trusted root CA certificates, which may be empty if unset.
 

-OSSL_CMP_CTX_set1_untrusted_certs() takes over a list of certificates containing
-non-trusted intermediate certs used for path construction in authentication
-of the CMP server and potentially others (TLS server, newly enrolled cert).
+OSSL_CMP_CTX_set1_untrusted_certs() sets up a list of non-trusted certificates
+of intermediate CAs that may be useful for path construction when authenticating
+the CMP server and when verifying newly enrolled certificates.

 The reference counts of those certificates handled successfully are increased.
 
 OSSL_CMP_CTX_get0_untrusted_certs(OSSL_CMP_CTX *ctx) returns a pointer to the
 The reference counts of those certificates handled successfully are increased.
 
 OSSL_CMP_CTX_get0_untrusted_certs(OSSL_CMP_CTX *ctx) returns a pointer to the

-list of untrusted certs, which my be empty if unset.
+list of untrusted certs, which may be empty if unset.

 
 OSSL_CMP_CTX_set1_clCert() sets the client certificate in the given B<ctx>.
 The public key of this B<clCert> must correspond to
 
 OSSL_CMP_CTX_set1_clCert() sets the client certificate in the given B<ctx>.
 The public key of this B<clCert> must correspond to